Greg Broiles wrote about randomizing survey answers:
That doesn't sound like a solution to me - they haven't provided anything
to motivate people to answer honestly, nor do they address the basic
problem, which is relying on the good will and good behavior of the
marketers - if a website
Terrific article below about the Irish Travellers, an inbred gypsy-like
society which has decades of practice in anonymity, multiple identities,
secret languages, fake IDs, and other cypherpunk-like practices. They
live in trailer parks and make their living with home improvement scams
and
Greg Broiles wrote about randomizing survey answers:
That doesn't sound like a solution to me - they haven't provided anything
to motivate people to answer honestly, nor do they address the basic
problem, which is relying on the good will and good behavior of the
marketers - if a website
Lucky Green wrote:
AARG! Wrote:
In addition, I have argued that trusted computing in general
will work very well with open source software. It may even
be possible to allow the user to build the executable himself
using a standard compilation environment.
What AARG! is failing to
Lucky Green wrote:
AARG! Wrote:
In addition, I have argued that trusted computing in general
will work very well with open source software. It may even
be possible to allow the user to build the executable himself
using a standard compilation environment.
What AARG! is failing to
Here is a functional block diagram of the Palladium software, based on
a recent presentation by Microsoft. My notes were a bit sketchy as I
rushed to copy down this slide, so there may be some slight errors.
But this is basically what was shown. (Use a monospace font to see
it properly.)
Niels Ferguson wrote:
At 16:04 16/09/02 -0700, AARG! Anonymous wrote:
Nothing done purely in software will be as effective as what can be done
when you have secure hardware as the foundation. I discuss this in more
detail below.
But I am not suggesting to do it purely in software. Read
The company I work for has a charitable donation matching program. Do you
have any suggestions for organizations with 501(c)3 status who would be
worthy recipients of a donation? I have EFF and EPIC on my list. Are there
others doing things to protect anonymity and privacy rights?
I am more
The company I work for has a charitable donation matching program. Do you
have any suggestions for organizations with 501(c)3 status who would be
worthy recipients of a donation? I have EFF and EPIC on my list. Are there
others doing things to protect anonymity and privacy rights?
I am more
Len Sassaman has put the ringsig program up at
http://www.abditum.com/~rabbi/ringsig/
First, the ring signature portion has successfully been repaired from
the truncation imposed by the anon remailer in the original post.
Second, unfortunately all of the tabs have been converted to spaces.
Microsoft has apparently just made available a new FAQ on its
controversial Palladium technology at
http://www.microsoft.com/PressPass/features/2002/aug02/0821PalladiumFAQ.asp.
Samples:
Q: I've heard that Palladium will force people to run only
Microsoft-approved software.
A: Palladium
Some credential issuing schemes, such as those from Brands as well as from
Camenisch Lysyanskaya, try to avoid credential sharing by embedding
into the credential some secret which is important and valuable to the
credential holder. Then if the credential is shared, the recipient
learns the
The latest release of Mixmaster claims to be an OpenPGP enhancement
release. I looked at the source more closely, and it seems to contain an
entire pgp implementation. I had previously thought it made external calls
to either pgp or gnupg.
This got me thinking - has anyone tried hacking
There has been an awful lot of discussion on this here in CP land,
so maybe some responses too?
A good place to put forward suggestions to make hard calculations
a requirement of delivery or maybe some digicash to pay for it?
***
Date: Tue, 20 Aug 2002 16:12:51 -0700
There has been an awful lot of discussion on this here in CP land,
so maybe some responses too?
A good place to put forward suggestions to make hard calculations
a requirement of delivery or maybe some digicash to pay for it?
***
Date: Tue, 20 Aug 2002 16:12:51 -0700
The latest release of Mixmaster claims to be an OpenPGP enhancement
release. I looked at the source more closely, and it seems to contain an
entire pgp implementation. I had previously thought it made external calls
to either pgp or gnupg.
This got me thinking - has anyone tried hacking
*** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c,
ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE
CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? ***
Once it works, I'll happily do that, but...
6. Finally, the verification
*** COULD SOMEONE PLEASE FOLLOW THE STEPS ABOVE AND PUT THE ringsig.c,
ringsign, ringver, AND sigring.pgp FILES ON A WEB PAGE SO THAT PEOPLE
CAN DOWNLOAD THEM WITHOUT HAVING TO GO THROUGH ALL THESE STEPS? ***
Once it works, I'll happily do that, but...
6. Finally, the verification
Dr. Mike wrote, patiently, persistently and truthfully:
On Fri, 16 Aug 2002, AARG! Anonymous wrote:
Here are some more thoughts on how cryptography could be used to
enhance user privacy in a system like TCPA. Even if the TCPA group
is not receptive to these proposals, it would be useful
Steps to verify the ring signature file (note: you must have the openssl
library installed):
1. Save http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00221.html,
as text, to the file ringsig.c. Delete the paragraph of explanation, and/or any
HTML junk, so the file starts with:
Dr. Mike wrote, patiently, persistently and truthfully:
On Fri, 16 Aug 2002, AARG! Anonymous wrote:
Here are some more thoughts on how cryptography could be used to
enhance user privacy in a system like TCPA. Even if the TCPA group
is not receptive to these proposals, it would be useful
Steps to verify the ring signature file (note: you must have the openssl
library installed):
1. Save http://www.inet-one.com/cypherpunks/dir.2002.08.05-2002.08.11/msg00221.html,
as text, to the file ringsig.c. Delete the paragraph of explanation, and/or any
HTML junk, so the file starts with:
Bruce Schneier wrote about Palladium:
Basically, Pd is Microsoft's attempt to build a trusted computer, much as I
discussed the concept in Secrets and Lies (pages 127-130); read it for
background).
Actually his discussion in the book is about traditional secure OS
concepts such as Multics.
Here are some more thoughts on how cryptography could be used to
enhance user privacy in a system like TCPA. Even if the TCPA group
is not receptive to these proposals, it would be useful to have an
understanding of the security issues. And the same issues arise in
many other kinds of systems
Here are some more thoughts on how cryptography could be used to
enhance user privacy in a system like TCPA. Even if the TCPA group
is not receptive to these proposals, it would be useful to have an
understanding of the security issues. And the same issues arise in
many other kinds of systems
Bruce Schneier wrote about Palladium:
Basically, Pd is Microsoft's attempt to build a trusted computer, much as I
discussed the concept in Secrets and Lies (pages 127-130); read it for
background).
Actually his discussion in the book is about traditional secure OS
concepts such as Multics.
[Repost]
Joe Ashwood writes:
Actually that does nothing to stop it. Because of the construction of TCPA,
the private keys are registered _after_ the owner receives the computer,
this is the window of opportunity against that as well.
Actually, this is not true for the endoresement key,
Joe Ashwood writes:
Actually that does nothing to stop it. Because of the construction of TCPA,
the private keys are registered _after_ the owner receives the computer,
this is the window of opportunity against that as well.
Actually, this is not true for the endoresement key, PUBEK/PRIVEK,
It seems that there is (a rather brilliant) way to bypass TCPA (as spec-ed.) I learned
about it from two separate sources, looks like two independent slightly different
hacks based on the same protocol flaw.
Undoubtedly, more people will figure this out.
It seems wise to suppress the urge and
It seems that there is (a rather brilliant) way to bypass TCPA (as spec-ed.) I learned
about it from two separate sources, looks like two independent slightly different
hacks based on the same protocol flaw.
Undoubtedly, more people will figure this out.
It seems wise to suppress the urge and
[Repost]
Joe Ashwood writes:
Actually that does nothing to stop it. Because of the construction of TCPA,
the private keys are registered _after_ the owner receives the computer,
this is the window of opportunity against that as well.
Actually, this is not true for the endoresement key,
Joe Ashwood writes:
Actually that does nothing to stop it. Because of the construction of TCPA,
the private keys are registered _after_ the owner receives the computer,
this is the window of opportunity against that as well.
Actually, this is not true for the endoresement key, PUBEK/PRIVEK,
Basically I agree with Adam's analysis. At this point I think he
understands the spec equally as well as I do. He has a good point
about the Privacy CA key being another security weakness that could
break the whole system. It would be good to consider how exactly that
problem could be
One of the many charges which has been tossed at TCPA is that it will
harm free software. Here is what Ross Anderson writes in the TCPA FAQ
at http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (question 18):
TCPA will undermine the General Public License (GPL), under which
many free and open
I thought of another interesting application for trusted computing
systems: mobile agents. These are pieces of software which get
transferred from computer to computer, running on each system,
communicating with the local system and other visiting agents,
before migrating elsewhere.
This was a
Brian LaMacchia writes:
So the complexity isn't in how the keys get initialized on the SCP (hey, it
could be some crazy little hobbit named Mel who runs around to every machine
and puts them in with a magic wand). The complexity is in the keying
infrastructure and the set of signed
One of the many charges which has been tossed at TCPA is that it will
harm free software. Here is what Ross Anderson writes in the TCPA FAQ
at http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (question 18):
TCPA will undermine the General Public License (GPL), under which
many free and open
I thought of another interesting application for trusted computing
systems: mobile agents. These are pieces of software which get
transferred from computer to computer, running on each system,
communicating with the local system and other visiting agents,
before migrating elsewhere.
This was a
Brian LaMacchia writes:
So the complexity isn't in how the keys get initialized on the SCP (hey, it
could be some crazy little hobbit named Mel who runs around to every machine
and puts them in with a magic wand). The complexity is in the keying
infrastructure and the set of signed
Adam Back writes:
+---++
| trusted-agent | user mode |
|space | app space |
|(code ++
| compartment) | supervisor |
| | mode / OS |
+---++
| ring -1 / TOR |
David Wagner wrote:
To respond to your remark about bias: No, bringing up Document Revocation
Lists has nothing to do with bias. It is only right to seek to understand
the risks in advance. I don't understand why you seem to insinuate
that bringing up the topic of Document Revocation Lists
Mike Rosing wrote:
The difference is fundamental: I can change every bit of flash in my BIOS.
I can not change *anything* in the TPM. *I* control my BIOS. IF, and
only IF, I can control the TPM will I trust it to extend my trust to
others. The purpose of TCPA as spec'ed is to remove my
David Wagner wrote:
To respond to your remark about bias: No, bringing up Document Revocation
Lists has nothing to do with bias. It is only right to seek to understand
the risks in advance. I don't understand why you seem to insinuate
that bringing up the topic of Document Revocation Lists
Adam Back writes:
+---++
| trusted-agent | user mode |
|space | app space |
|(code ++
| compartment) | supervisor |
| | mode / OS |
+---++
| ring -1 / TOR |
Mike Rosing wrote:
The difference is fundamental: I can change every bit of flash in my BIOS.
I can not change *anything* in the TPM. *I* control my BIOS. IF, and
only IF, I can control the TPM will I trust it to extend my trust to
others. The purpose of TCPA as spec'ed is to remove my
On Sat, 10 Aug 2002 17:06:26 -0400, you wrote:
Go look up discussions on google about cryptographic protocols for
internet voting. It just ain't possible without the most strict,
obscene, biometric, draconian, is a person, non-anonymous methods
you ever saw.
Sure it is. The measures, if any
Seth Schoen of the EFF has a good blog entry about Palladium and TCPA
at http://vitanuova.loyalty.org/2002-08-09.html. He attended Lucky's
presentation at DEF CON and also sat on the TCPA/Palladium panel at
the USENIX Security Symposium.
Seth has a very balanced perspective on these issues
Here are the perl scripts I cobbled together to put the ring signature
at the end of the file, after a separator. I called the executable
program from the earlier C source code ringsig. I call these ringver
and ringsign. I'm no perl hacker so these could undoubtedly be greatly
improved.
and bad
aspects of TCPA, as I think Adam has come close to doing a few times,
then it could be a helpful document.
Intel and Microsoft and anonymous chauvanists can and should criticize
such a document if we write one. That will strengthen it by
eliminating any faulty reasoning or errors
and bad
aspects of TCPA, as I think Adam has come close to doing a few times,
then it could be a helpful document.
Intel and Microsoft and anonymous chauvanists can and should criticize
such a document if we write one. That will strengthen it by
eliminating any faulty reasoning or errors
Seth Schoen of the EFF has a good blog entry about Palladium and TCPA
at http://vitanuova.loyalty.org/2002-08-09.html. He attended Lucky's
presentation at DEF CON and also sat on the TCPA/Palladium panel at
the USENIX Security Symposium.
Seth has a very balanced perspective on these issues
Here is the signature block from the ring signature program which got
truncated. I'll try sending it through a few different anon remailers
until it gets through. Replace the lines from the earlier posting
starting with the END PGP PUBLIC KEY BLOCK line.
-END PGP PUBLIC KEY BLOCK-
An article on Salon this morning (also being discussed on slashdot),
http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
discusses how the file-trading network Gnutella is being threatened by
misbehaving clients. In response, the developers are looking at limiting
the
Adam Back writes a very thorough analysis of possible consequences of the
amazing power of the TCPA/Palladium model. He is clearly beginning to
get it as far as what this is capable of. There is far more to this
technology than simple DRM applications. In fact Adam has a great idea
for how
I want to follow up on Adam's message because, to be honest, I missed
his point before. I thought he was bringing up the old claim that these
systems would give the TCPA root on your computer.
Instead, Adam is making a new point, which is a good one, but to
understand it you need a true picture
Re the debate over whether compilers reliably produce identical object
(executable) files:
The measurement and hashing in TCPA/Palladium will probably not be done
on the file itself, but on the executable content that is loaded into
memory. For Palladium it is just the part of the program
to the government now, and maybe this is where we get
some advantage from having a broad industry initiative. Our fundamental
goal is let's do the right thing. We have pretty strong feelings about
what the right thing is on terms of making sure that things are truly
anonymous and that key escrow
This program can be used by anonymous contributors to release partial
information about their identity - they can show that they are someone
from a list of PGP key holders, without revealing which member of the
list they are. Maybe it can help in the recent controvery over the
identity
An article on Salon this morning (also being discussed on slashdot),
http://www.salon.com/tech/feature/2002/08/08/gnutella_developers/print.html,
discusses how the file-trading network Gnutella is being threatened by
misbehaving clients. In response, the developers are looking at limiting
the
to the government now, and maybe this is where we get
some advantage from having a broad industry initiative. Our fundamental
goal is let's do the right thing. We have pretty strong feelings about
what the right thing is on terms of making sure that things are truly
anonymous and that key escrow
Anon wrote:
You could even have each participant compile the program himself,
but still each app can recognize the others on the network and
cooperate with them.
Matt Crawford replied:
Unless the application author can predict the exact output of the
compilers, he can't issue a signature on
This program can be used by anonymous contributors to release partial
information about their identity - they can show that they are someone
from a list of PGP key holders, without revealing which member of the
list they are. Maybe it can help in the recent controvery over the
identity
Anon wrote:
You could even have each participant compile the program himself,
but still each app can recognize the others on the network and
cooperate with them.
Matt Crawford replied:
Unless the application author can predict the exact output of the
compilers, he can't issue a signature on
Mike Rosing wrote:
Who owns PRIVEK? Who controls PRIVEK? That's who own's TCPA.
PRIVEK, the TPM's private key, is generated on-chip. It never leaves
the chip. No one ever learns its value. Given this fact, who would
you say owns and controls it?
And then there was this comment in yet
Mike Rosing wrote:
On Fri, 2 Aug 2002, AARG! Anonymous wrote:
You don't have to send your data to Intel, just a master storage key.
This key encrypts the other keys which encrypt your data. Normally this
master key never leaves your TPM, but there is this optional feature
where it can
James Donald writes:
James Donald writes:
I can only see one application for voluntary TCPA, and that is
the application it was designed to perform: Make it possible
run software or content which is encrypted so that it will
only run on one computer for one time period.
On 3
example of how the secure attestation features of
TCPA/Palladium can allow a kind of software which would never work today,
software where people trust each other. Let's look at another example,
a P2P system with anonymity.
Again, there are many cryptographic systems in the literature for
anonymous
Peter Trei writes:
It's rare enough that when a new anononym appears, we know
that the poster made a considered decision to be anonymous.
The current poster seems to have parachuted in from nowhere,
to argue a specific position on a single topic. It's therefore
reasonable to infer
Peter Trei envisions data recovery in a TCPA world:
HoM: I want to recover my data.
Me: OK: We'll pull the HD, and get the data off it.
HoM: Good - mount it as a secondary HD in my new system.
Me: That isn't going to work now we have TCPA and Palladium.
HoM: Well, what do you have to
Sampo Syreeni writes:
On 2002-08-01, AARG!Anonymous uttered to [EMAIL PROTECTED],...:
It does this by taking hashes of the software before transferring
control to it, and storing those hashes in its internal secure
registers.
So, is there some sort of guarantee that the transfer
Sampo Syreeni writes:
On 2002-08-01, AARG!Anonymous uttered to [EMAIL PROTECTED],...:
It does this by taking hashes of the software before transferring
control to it, and storing those hashes in its internal secure
registers.
So, is there some sort of guarantee that the transfer
James Donald writes:
TCPA and Palladium give someone else super root privileges on my
machine, and TAKE THOSE PRIVILEGES AWAY FROM ME. All claims that
they will not do this are not claims that they will not do this,
but are merely claims that the possessor of super root privilege
on my
Eric Murray writes:
TCPA (when it isn't turned off) WILL restrict the software that you
can run. Software that has an invalid or missing signature won't be
able to access sensitive data[1]. Meaning that unapproved software
won't work.
[1] TCPAmain_20v1_1a.pdf, section 2.2
We need to
On Tue, 30 Jul 2002 20:51:24 -0700, you wrote:
When we approve a file, all the people who approved it already get
added to our trust list, thus helping us select files, and we are
told that so and so got added to our list of people who recommend
good files. This gives people an incentive to
James Donald wrote:
On 29 Jul 2002 at 15:35, AARG! Anonymous wrote:
both Palladium and TCPA deny that they are designed to restrict
what applications you run. The TPM FAQ at
http://www.trustedcomputing.org/docs/TPM_QA_071802.pdf reads
They deny that intent, but physically they have
James Donald wrote:
On 29 Jul 2002 at 15:35, AARG! Anonymous wrote:
both Palladium and TCPA deny that they are designed to restrict
what applications you run. The TPM FAQ at
http://www.trustedcomputing.org/docs/TPM_QA_071802.pdf reads
They deny that intent, but physically they have
On Mon, 29 Jul 2002 14:25:37 -0400 (EDT), you wrote:
Congressman Wants to Let Entertainment Industry Get Into Your Computer
Rep. Howard L. Berman, D-Calif., formally proposed
legislation that would give the industry unprecedented new
authority to secretly hack into
On Mon, 22 Jul 2002 11:43:36 -0400, you wrote:
Well, the other possible interpretation is that the Feds are not
black-at-heart, Big Brother, neo Stalinist fascist JBTs
pouncing on any opportunity to make confetti of the Bill of Rights;
but rather are actually trying to respond to 9/11 with a
On Mon, 22 Jul 2002 17:22:34 -0700, you wrote:
Wouldn't this requirement violate the probable cause requirement for seizures
of a person which been defined by a series of cases, beginning with Terry v. Ohio
, 392 U.S. 1, 88 S.Ct. 1868, 20 L.Ed.2d 889 (1968)?
steve
You are quite idealistic.
On Mon, 22 Jul 2002 17:22:34 -0700, you wrote:
Wouldn't this requirement violate the probable cause requirement for seizures
of a person which been defined by a series of cases, beginning with Terry v. Ohio
, 392 U.S. 1, 88 S.Ct. 1868, 20 L.Ed.2d 889 (1968)?
steve
You are quite idealistic.
Read a great article on Slashdot about the recent DRM workshop,
http://slashdot.org/article.pl?sid=02/07/18/1219257, by al3x:
As the talks began, I was brimming with the enthusiasm and anger of an
activist, overjoyed at shaking hands with the legendary Richard
Stallman, thrilled with
Read a great article on Slashdot about the recent DRM workshop,
http://slashdot.org/article.pl?sid=02/07/18/1219257, by al3x:
As the talks began, I was brimming with the enthusiasm and anger of an
activist, overjoyed at shaking hands with the legendary Richard
Stallman, thrilled with
On Tue, 16 Jul 2002 15:15:31 -0400, you wrote:
Thus the legal climate has fundamentally changed, and one can
assume that since the Bush administration has been pushing for the
passage of this bill that they perhaps intend to start prosecuting at
least some category of radio under the
On Tue, 16 Jul 2002 15:15:31 -0400, you wrote:
Thus the legal climate has fundamentally changed, and one can
assume that since the Bush administration has been pushing for the
passage of this bill that they perhaps intend to start prosecuting at
least some category of radio under the
David Wagner wrote:
Anonymous wrote:
Legislation of DRM is not in the cards, [...]
Care to support this claim? (the Hollings bill and the DMCA requirement
for Macrovision in every VCR come to mind as evidence to the contrary)
The line you quoted was the summary from a message which
David Wagner wrote:
Anonymous wrote:
Legislation of DRM is not in the cards, [...]
Care to support this claim? (the Hollings bill and the DMCA requirement
for Macrovision in every VCR come to mind as evidence to the contrary)
The line you quoted was the summary from a message which
Tim May writes:
As everyone should know by now, and probably does, the Social Security
scheme in the U.S. is nothing more than a large Ponzi scheme. Payroll
taxes, amounting to about 15% of income up to some level (ratcheted
upwards every few years), go straight into the General Fund,
Tim May writes:
As everyone should know by now, and probably does, the Social Security
scheme in the U.S. is nothing more than a large Ponzi scheme. Payroll
taxes, amounting to about 15% of income up to some level (ratcheted
upwards every few years), go straight into the General Fund,
On 9 Jul 2002 at 14:02, Tim May wrote:
Unless one's stay is a short one (see below), income or other
money earned while in the U.S. (and maybe earned outside the
U.S. if the IRS can make a nexus case) is taxable.
The question really is: Suppose one becomes a US citizen, and
then resides
The death of democracy is at hand.
http://www.zmag.org/meastwatch/hertz.htm
Several people have suggested that DRM software is not bad in and
of itself. So long as it is used voluntarily, it is not infringing
on anyone's freedom. In fact they will even agree that voluntary DRM
can be a good thing; it increases people's options and can provide a
mechanism where content
The death of democracy is at hand.
http://www.zmag.org/meastwatch/hertz.htm
Nick Szabo created the idea of Smart Contracts several years ago.
http://www.best.com/~szabo. These would be self-enforcing agreements
that were based on technology rather than laws. It all sounded cool at
the time.
But isn't DRM a form of Smart Contract? If I need a special viewer to
Nick Szabo created the idea of Smart Contracts several years ago.
http://www.best.com/~szabo. These would be self-enforcing agreements
that were based on technology rather than laws. It all sounded cool at
the time.
But isn't DRM a form of Smart Contract? If I need a special viewer to
[Repost]
Lucky asks:
I am looking for a quote by a TCPA or Palladium principal that states
that TCPA and/or Palladium will be voluntary or optional. Google was not
helpful. Did anybody on here run across such a quote in one of the
interviews recently published? Please include the
Seth Schoen writes:
The Palladium security model and features are different from Unix, but
you can imagine by rough analogy a Unix implementation on a system
with protected memory. Every process can have its own virtual memory
space, read and write files, interact with the user, etc. But
Seth Schoen writes:
The Palladium security model and features are different from Unix, but
you can imagine by rough analogy a Unix implementation on a system
with protected memory. Every process can have its own virtual memory
space, read and write files, interact with the user, etc. But
James Donald writes:
On 3 Jul 2002 at 10:48, xganon wrote:
Do you really think that DRM systems could eliminate cypherpunk
applications? Have you thought this through in detail? Please
expand on it.
The system as specified is harmless, because it can run anyone's
code, and thus can
James Donald writes:
On 3 Jul 2002 at 10:48, xganon wrote:
Do you really think that DRM systems could eliminate cypherpunk
applications? Have you thought this through in detail? Please
expand on it.
The system as specified is harmless, because it can run anyone's
code, and thus can
Gee, maybe I should head for Cali and set up a linux cluster shop.
The central feature of
the facility was a $1.5 million IBM AS400
mainframe, the kind once used by banks,
networked with half a dozen terminals and
301 - 400 of 706 matches
Mail list logo